Sendmail vulnerability?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

spacebiscuit
Forum Contributor
Posts: 390
Joined: Mon Mar 07, 2005 3:20 pm

Sendmail vulnerability?

Post by spacebiscuit »

Hi,

I have a website which uses the sendmail function to send customers' enquiries on my website.

Each morning I wake to find 'enquiries' which contain absolute gibberish.

For example:

but utri atic machine the d that we the room, and words he thought you of b=
ecause winked away into our equipment marble sanded unconcealed contempt. h=
e last


Is there some kind of vulnerability with the sendmail function?

Is this something I should be concerned about or is it simply an inconvenience?

Why would someone do this?

Any feedback would be appreciated.

Thanks,

Rob.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

What's the sendmail function? Sendmail is a program which runs on UNIX-like systems. How are you invoking it? With mail() or with something like Swift Mailer? It's more likely that the web page which allows emails to be sent has a security hole in it.
spacebiscuit
Forum Contributor
Posts: 390
Joined: Mon Mar 07, 2005 3:20 pm

Post by spacebiscuit »

Hi, I am invoking the mail function as follows:

Code:

mail($to, $subject, $body);

Any ideas?

Thanks,

Rob.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Where are the mails coming from and where are they going to?
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

May just be spam; you'd probably want to implement a captcha for the form in either case.
spacebiscuit
Forum Contributor
Posts: 390
Joined: Mon Mar 07, 2005 3:20 pm

Post by spacebiscuit »

Ok I have done some investigating and I think I have the answer.

Basically, spammers use contact pages to send spam. It works by changing the variable data contained in the URL of a submitted page. Although the 'to' email variable may be hardcoded, the spammers exploit a security hole by appending a 'bcc' variable, and therefore each time the form is submitted it also sends to a list of emails in this field.

A full explanation can be found here, with some measures which can be taken to protect against this security hole. Although not 100% foolproof, it has at least stopped the activity in my case:

http://www.phpbuilder.com/columns/ian_g ... hp3?page=2

Thanks,

Rob.
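
A defensive handler for the 'bcc' appending described in the post above, as an added example that is not code from this thread or from the linked article. The field names, function names and recipient address are assumptions; it rejects any header-bound value containing a line break before anything reaches mail().

```php
<?php
// Added example: hypothetical contact-form handler, not code from this thread.
// Field names, function names and the recipient address are assumptions.

const CONTACT_RECIPIENT = 'enquiries@example.com'; // fixed server-side, never taken from the request

// A CR or LF in a value that ends up in a mail header lets the sender start
// a new header line of their own (for example an extra Bcc: line).
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns [to, subject, body] for mail(), or null if the submission is rejected.
function build_enquiry(array $post): ?array
{
    // Treat missing or non-string fields (e.g. name[]=x) as empty.
    $get = fn(string $key): string => is_string($post[$key] ?? null) ? $post[$key] : '';

    $name    = $get('name');
    $email   = $get('email');
    $message = trim($get('message'));

    if ($name === '' || $message === '' || has_line_break($name) || has_line_break($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $subject = 'Website enquiry from ' . $name;           // header: single line only
    $body    = "Name: $name\nEmail: $email\n\n$message";  // body: line breaks are harmless here
    return [CONTACT_RECIPIENT, $subject, $body];
}

// Constructed sample submissions (not real traffic).
$samples = [
    'normal'       => ['name' => 'Rob', 'email' => 'rob@example.com', 'message' => "Hello,\nplease call me."],
    'extra header' => ['name' => "Rob\r\nBcc: list@example.net", 'email' => 'rob@example.com', 'message' => 'hi'],
    'bad address'  => ['name' => 'Rob', 'email' => "rob@example.com\nBcc: list@example.net", 'message' => 'hi'],
];

foreach ($samples as $label => $post) {
    $args = build_enquiry($post);
    echo $label, ': ', $args === null ? 'rejected' : 'accepted', "\n";
    // In the real handler: if ($args !== null) { mail(...$args); }
}
```

Rejected submissions are worth logging with the source IP, since repeated attempts show the form is being probed.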
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Even on this forum you'll find a couple of good threads on e-mail injection...
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »
